I bricked (and recovered) the Meraki Z1

I bricked (and recovered) the Meraki Z1

I purchased a used Meraki Z1 on eBay (~ $70) because it is supported by LEDE and seems to be pretty good hardware. It has 4 GbE LAN ports, 1 WAN port, and dual-concurrent 802.11n radios 2×2 MIMO. The LEDE support is important because I am not paying Cisco a yearly license to put my device in their cloud. Unfortunately, while flashing it the first time around I ended up with a brick.


TL;DR

Bricked after using beta build on Github. Lesson learned – Build from source.

  1. Build from source
  2. Follow directions and flash
  3. Win

Read More Read More

Purism Librem 13 Ordered

Purism Librem 13 Ordered

I have been happy with my Lenovo x230 up until this point, but was really looking for a 1080p screen, NVMe support, and USB-C. Purism recently started supporting Coreboot and added an i7 processor to the 13″ model which helped sway my decision on purchasing a new laptop.

It certainly was not a cheap purchase, nevertheless I am glad that they are supporting Coreboot and working on reverse engineering Intel ME. Hopefully they will continue to contribute to open source and their work on freedom-respecting computers. I believe in voting with your dollars and want to see more current hardware supported by Coreboot in the future.

The i7 models are currently back ordered, but it sounds like my new laptop should ship sometime in August or September. I may decide to write up a simple review or comparison to the x230 once it arrives.

https://puri.sm/

Free the Meraki MR24 w/ LEDE Project

Free the Meraki MR24 w/ LEDE Project

The LEDE Project (“Linux Embedded Development Environment”) is a Linux operating system based on OpenWrt.
https://lede-project.org/start

I have used OpenWrt in the past and had not heard of the LEDE Project until I was researching the ability to reflash Meraki gear. I picked up a couple Meraki MR24s for cheap on ebay after finding out they were supported. The hardware is a 3×3 MIMO 802.11n access point which supports up to 900 Mbps. If you are not familiar with Meraki, it is cloud based gear that is managed from the cloud and requires users to purchase a yearly license.

A GitHub user named riptidewave93 posted code and a flashing guide to liberate the Meraki and convert it to a standard access point. His work was merged into the LEDE Project, but has not made it into OpenWRT yet.

His flashing process is pretty straight forward, but doesn’t cover the UART pins which can be found here:

To open the case you need a T6 Torx bit and I used a knife to pry the metal case past the plastic.

On the other side I hooked up my USB to Serial adapter and booted into LEDE.

Some of the information was all over the place which is why I consolidated it here. The AP has been working great and it is worth the cost if you are looking for an enterprise level Wireless-N device.

Separating Work/Life Data

Separating Work/Life Data

As a system administrator I deal with a lot of different systems and accounts on a daily basis. Over the last six months I have been struggling with the idea of splitting work from my personal life. I would like to keep them separate, but the thought of carrying two laptops makes me cringe.

Qubes OS aims to solve this problem and many others by splitting these actives into different AppVMs. Qubes OS 3.2 was released recently and I thought now would be a good time to try switching.

After installing Qubes, I had it create the basic AppVMs. These included untrusted, personal, and work. I am a big fan of Debian so I switched all the default VMs to the debain-8 template. The last step was to configure my personal and work AppVMs which included a new LastPass account and adding some applications to the template.

Now I will work on getting used to the new work flow and plan on adding interesting information to the blog as I run across it.

screenshot_2016-11-30_16-54-53

Uninstalling PE from agent nodes

Uninstalling PE from agent nodes

At work we switched from using Puppet Enterprise to Ansible for a variety of reasons. After the switch I disabled the Puppet agents, but never got around to uninstalling all of them.

Recently, I ran into an issue where one server suddenly turned the Puppet agent back on and reverted changes that were made. I decided it was time to clean up the mess, but Puppet requires files from the server in order to uninstall the agent and my server was long gone.

This document covers the agent uninstall process: https://docs.puppet.com/pe/latest/install_uninstalling.html#uninstalling-pe-from-agent-nodes

I uploaded the necessary files here, in order to prevent myself or other people from installing Puppet Enterprise again to retrieve them: pe-uninstall.zip

ansibleThe next step was to create an Ansible job to copy these to the server and run the uninstall script. Easy.

https://bitbucket.org/blissjoe/ansible-remove-peagent/overview


---
- hosts: puppet
  become: true
  tasks:
  
  - name: check for pe-agent
    command: rpm -q pe-agent
    register: rpm_check
    ignore_errors: true
    
  - block:  
    - name: copy uninstall script
      copy: src=files/puppet/puppet-enterprise-uninstaller dest=/tmp/puppet-enterprise-uninstaller mode="u+rwx"
    
    - name: copy utils and answers
      copy: src=files/puppet/{{ item }} dest=/tmp/{{ item }}
      with_items:
      - utilities
      - answers.remove
    
    - name: run uninstall script
      command: "/tmp/puppet-enterprise-uninstaller -a /tmp/answers.remove"

    - name: cleanup
      file: path=/tmp/{{ item }} state=absent
      with_items:
      - utilities
      - answers.remove  
      - puppet-enterprise-uninstaller 
      
    when: rpm_check.rc == 0

Libreboot version 20160818 released

Libreboot version 20160818 released

The new version of Librebot was just released which brings new hardware compatibility and tons of great improvements. I am excited to update my Lenovo x200s and will make sure to update this post with a quick overview of my experience.

This is one of features that really popped out for me:

256MiB VRAM allocated on GM45 (X200, T400, T500, R400) instead of 32MiB. This is an improvement over both Lenovo BIOS and Libreboot 20150518, allowing video decoding at 1080p to be smoother. (thanks Arthur Heymans) To clarify, GM45 video performance in libreboot 20160818 is better than on the original BIOS and the previous libreboot release.

They also improved battery life across multiple models.

You can read all the changes here and download the software from their website.

https://lists.nongnu.org/archive/html/libreboot/2016-08/msg00040.html


Update, 8-22-16

The upgrade was really straight forward and worked great on my x200s. Anyone who has already flashed a laptop will already know everything they need to upgrade.

The guide can be found here. Make sure to merge your MAC address into the rom before upgrading.

flash

Update, 9-15-16

A bugfix version, 20160907, was released on 2016-09-07. It does not contain any board changes, but make sure to use the latest one while upgrading.

FAILED at 0x00000000! Expected=0xff, Found=0x00

FAILED at 0x00000000! Expected=0xff, Found=0x00

I spent the last couple days pulling my hair out trying to figure out why flashrom kept failing to flash my Lenovo x220 with coreboot. I was able to get a successful backup of my firmware after shortening the cables, but for some reason writing and image kept failing. When running the command the chip would randomly not be found or sometimes acted like it disconnected during the operation. At this point my laptop was bricked and I was having trouble finding anyone else on the internet having the same problem.

I am using the BeagleBone Black as a SPI flasher and it has been successful in the past with my Lenovo x200s. The flash chip was powered with 3.3V from a cheap breadboard power supply. The Libreboot project provides a really nice guide and some troubleshooting tips.
Screenshot from 2016-08-15 13-10-26
I was suspicious that the power supply wasn’t supplying a stable 3.3V so I ordered an expensive Sparkfun model and a Teensy 3.2 as a good backup plan.

After receiving my order, the off brand and Sparkfun breadboard power supplies did show any positive improvements to my problem. However, pulling 3.3 voltage from the Teensy did. I was able to flash and boot my laptop. I believe my main issue was the fact that voltage was not stable or high enough to properly flash the chip. The chart below shows the measured voltage outputs using a decent multimeter:

5V – 2A 9V – 650mA 12V – 1A (Linksys) USB
Black 2.835v 3.256v 3.306v
White 3.248v 3.249v 3.250v
Red(Sparkfun) 3.278v 3.277v 3.278v
Teensy 3.289v

This chart makes me think that my original method using the black breadboard power supply and the Linksys wall adapter should have worked. However, I am not sure how to measure voltage under draw and maybe it dropped to low when the write started. I also did not test all of the above options for flashing. It is important to note how much the power supplies are affected by different power adapters.

Conclusion

My theory is that I did not have problems flashing my x200s because the flash chip was older and smaller which required less voltage to write. Reading a chip might also require less voltage which is how I got a good backup and was able to build my coreboot image. I do not pretend to be an expert in electronics so please correct me in the comments if you have a better idea than me. I am just trying to provide my findings to hopefully help another person.

Next time my flash is failing the first thing I will do is pull out a multimeter and double check the voltage.

Edit (8-2-2017): I found out that a 5v adapter and the USB connection on the BeagleBone Black makes the built-in 3.3V pinout work just fine. I saw this in some other documentation recently and I am not sure if it is new or if I overlooked it before.

IMG_20160813_114653

Dumping Comodo for Let’s Encrypt

Dumping Comodo for Let’s Encrypt

I have been trying to support the open source and free software communities more over the past couple years. Linux has become a big part of my job and I use free software every day instead of Windows. I was especially excited about Let’s Encrypt because they provide anyone a free and trusted certificate at zero cost. Since Let’s Encrypt became available to the public, it has issued more than five million certificates [1].

In the past Comodo has made some questionable decisions and most recently they tried to steal the Let’s Encrypt trademark. I imagine Comodo saw Let’s Encrypt as a threat and damaging to their business of selling certificates. Thankfully Let’s Encrypt reached out to the community and we spoke out. Long story short, Comodo backed off and removed their trademark requests. I assume most people may already know about it, but you can read a summary here.

After I saw the response from Comodo’s CEO, Melih, I contacted Namecheap who resells Comodo certificates. Melih is clearly confused and does not understand the difference between giving customers a 90-day free trial and giving certs away for free and forever. Amazingly, as of July 23, 2016, Comodo has not pulled down the forum post from their CEO [2], but I uploaded a backup screen shot here just in case. After this shady move, Namecheap said they appreciate the current partnership. So now it is time for me to personally stop supporting Comodo and switch to Let’s Encrypt.

[1]https://letsencrypt.org/2016/06/22/https-progress-june-2016.html

[2]https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/shame-on-you-comodo-t115958.0.html

The Best CPU Cooler – Period

The Best CPU Cooler – Period

I recently built a tower server to provide room for a nice GPU. I had most of the parts already because I was pulling them from a rack mount server chassis, but I knew that regular heat sinks would not be sufficient. I then discovered, the hard way, that the Cooler Master 212 EVO does not fit on server LGA1366. The screws were not able to thread into the Xeon backplate. The Cooler Master used to be my go to cooler for desktop applications. After the Cooler Masters were returned, I ordered a set of Intel Server/Workstation coolers because I knew they would be compatible. They did a decent job, but had an unbearable loud whine to them. I keep my servers in the spare bedroom next to mine and you could just hear the things screaming away through the door/walls.

After I little more research I settled on spending more money and ordering two Noctua i4 CPU Coolers. Their website clearly shows they are compatible with the LGA1366 socket and Xeon backplate. There were also some good reviews from people online saying these fans were quiet and worked well. The only bad reviews were the ones where people did not realized they were shipped a server CPU cooler and had to order the motherboard backplate separately.

Read More Read More

Proxy Plex through Apache on Debian

Proxy Plex through Apache on Debian

I have used Plex on and off for a while. After spending some time away from home I decided to get the software set up again. Plex makes it easy for less technical people, but it feels like some control is removed from advanced users. My first pet peeve was that there is not a great way to change the port or URL. You are stuck with something that looks like http://127.0.0.1:32400/web/. Second, to enable TLS they recommend you configure Remote Access. Remote Access will allow you to log into their protected website and it will direct you to the server. It is magic, but you loose the ability to use your own domain name.

I have been using Apache proxies at work for a few projects and wanted to setup the same thing for Plex. It turns out Matt Coneybeare decided to do this in 2013. Matt’s walk through is really good and you can find it here. I wanted to take it a step further and configure https/redirection.

Read More Read More