Free the Meraki MR24 w/ LEDE Project

The LEDE Project (“Linux Embedded Development Environment”) is a Linux operating system based on OpenWrt.
https://lede-project.org/start

I have used OpenWrt in the past and had not heard of the LEDE Project until I was researching the ability to reflash Meraki gear. I picked up a couple of Meraki MR24s for cheap on eBay after finding out they were supported. The hardware is a 3×3 MIMO 802.11n access point which supports up to 900 Mbps. If you are not familiar with Meraki, it is cloud-based gear that is managed from the cloud and requires users to purchase a yearly license.

A GitHub user named riptidewave93 posted code and a flashing guide to liberate the Meraki and convert it to a standard access point. His work was merged into the LEDE Project, but has not made it into OpenWrt yet.

His flashing process is pretty straightforward, but doesn’t cover the UART pins which can be found here:

To open the case you need a T6 Torx bit and I used a knife to pry the metal case past the plastic.

On the other side I hooked up my USB to Serial adapter and booted into LEDE.

Some of the information was all over the place which is why I consolidated it here. The AP has been working great and it is worth the cost if you are looking for an enterprise-level Wireless-N device.

Separating Work/Life Data

As a system administrator I deal with a lot of different systems and accounts on a daily basis. Over the last six months I have been struggling with the idea of splitting work from my personal life. I would like to keep them separate, but the thought of carrying two laptops makes me cringe.

Qubes OS aims to solve this problem and many others by splitting these activities into different AppVMs. Qubes OS 3.2 was released recently and I thought now would be a good time to try switching.

After installing Qubes, I had it create the basic AppVMs. These included untrusted, personal, and work. I am a big fan of Debian so I switched all the default VMs to the debian-8 template. The last step was to configure my personal and work AppVMs which included a new LastPass account and adding some applications to the template.

Now I will work on getting used to the new workflow and plan on adding interesting information to the blog as I run across it.

Uninstalling PE from agent nodes

At work we switched from using Puppet Enterprise to Ansible for a variety of reasons. After the switch I disabled the Puppet agents, but never got around to uninstalling all of them.

Recently, I ran into an issue where one server suddenly turned the Puppet agent back on and reverted changes that were made. I decided it was time to clean up the mess, but Puppet requires files from the server in order to uninstall the agent and my server was long gone.

This document covers the agent uninstall process: https://docs.puppet.com/pe/latest/install_uninstalling.html#uninstalling-pe-from-agent-nodes

I uploaded the necessary files here, in order to prevent myself or other people from installing Puppet Enterprise again to retrieve them: pe-uninstall.zip

The next step was to create an Ansible job to copy these to the server and run the uninstall script. Easy.

https://bitbucket.org/blissjoe/ansible-remove-peagent/overview


---
# Remove the Puppet Enterprise agent from hosts that still have it installed.
- hosts: puppet
  become: true
  tasks:

  # rpm -q exits non-zero when the package is absent; that is expected here.
  - name: check for pe-agent
    command: rpm -q pe-agent
    register: rpm_check
    ignore_errors: true
    changed_when: false

  # The whole block only runs when pe-agent was found (see "when" below).
  - block:
    - name: copy uninstall script
      copy: src=files/puppet/puppet-enterprise-uninstaller dest=/tmp/puppet-enterprise-uninstaller mode="u+rwx"

    - name: copy utils and answers
      copy: src=files/puppet/{{ item }} dest=/tmp/{{ item }}
      with_items:
      - utilities
      - answers.remove

    # -a points the uninstaller at the answers file so it runs unattended.
    - name: run uninstall script
      command: "/tmp/puppet-enterprise-uninstaller -a /tmp/answers.remove"

    - name: cleanup
      file: path=/tmp/{{ item }} state=absent
      with_items:
      - utilities
      - answers.remove
      - puppet-enterprise-uninstaller

    when: rpm_check.rc == 0
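
A variant of the playbook above that stages the files in a randomly named, root-only directory instead of fixed paths in the world-writable /tmp, and removes it even when the uninstaller fails. This is an added example, not the author's playbook from the Bitbucket repository; it assumes `utilities` is a single file, as the original tasks treat it, and the `stage` variable name is chosen here for illustration.

```yaml
---
# Added example, not the author's playbook: same flow, staged in a private
# temp directory instead of fixed file names under /tmp.
- hosts: puppet
  become: true
  tasks:

    - name: check for pe-agent
      command: rpm -q pe-agent
      register: rpm_check
      failed_when: false    # a missing package is an expected result
      changed_when: false   # read-only query

    - block:
        # mkdtemp-style directory: random name, mode 0700, owned by root
        - name: create staging directory
          tempfile:
            state: directory
            prefix: pe-uninstall.
          register: stage   # "stage" is a name chosen for this example

        # Assumes "utilities" is a single file, as the original tasks treat it
        - name: copy uninstaller, utilities and answers
          copy:
            src: "files/puppet/{{ item.name }}"
            dest: "{{ stage.path }}/{{ item.name }}"
            owner: root
            group: root
            mode: "{{ item.mode }}"
          loop:
            - { name: puppet-enterprise-uninstaller, mode: "0700" }
            - { name: utilities, mode: "0600" }
            - { name: answers.remove, mode: "0600" }

        - name: run uninstall script
          command: "{{ stage.path }}/puppet-enterprise-uninstaller -a {{ stage.path }}/answers.remove"

      always:
        - name: remove staging directory, even if the uninstall failed
          file:
            path: "{{ stage.path }}"
            state: absent
          when: stage.path is defined

      when: rpm_check.rc == 0
```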

Libreboot version 20160818 released

The new version of Libreboot was just released which brings new hardware compatibility and tons of great improvements. I am excited to update my Lenovo x200s and will make sure to update this post with a quick overview of my experience.

This is one of the features that really popped out for me:

256MiB VRAM allocated on GM45 (X200, T400, T500, R400) instead of 32MiB. This is an improvement over both Lenovo BIOS and Libreboot 20150518, allowing video decoding at 1080p to be smoother. (thanks Arthur Heymans) To clarify, GM45 video performance in libreboot 20160818 is better than on the original BIOS and the previous libreboot release.

They also improved battery life across multiple models.

You can read all the changes here and download the software from their website.

https://lists.nongnu.org/archive/html/libreboot/2016-08/msg00040.html


Update, 8-22-16

The upgrade was really straightforward and worked great on my x200s. Anyone who has already flashed a laptop will already know everything they need to upgrade.

The guide can be found here. Make sure to merge your MAC address into the ROM before upgrading.

Update, 9-15-16

A bugfix version, 20160907, was released on 2016-09-07. It does not contain any board changes, but make sure to use the latest one while upgrading.

FAILED at 0x00000000! Expected=0xff, Found=0x00

I spent the last couple days pulling my hair out trying to figure out why flashrom kept failing to flash my Lenovo x220 with coreboot. I was able to get a successful backup of my firmware after shortening the cables, but for some reason writing an image kept failing. When running the command the chip would randomly not be found or sometimes acted like it disconnected during the operation. At this point my laptop was bricked and I was having trouble finding anyone else on the internet having the same problem.

I am using the BeagleBone Black as a SPI flasher and it has been successful in the past with my Lenovo x200s. The flash chip was powered with 3.3V from a cheap breadboard power supply. The Libreboot project provides a really nice guide and some troubleshooting tips.
I was suspicious that the power supply wasn’t supplying a stable 3.3V so I ordered an expensive Sparkfun model and a Teensy 3.2 as a good backup plan.

After receiving my order, the off-brand and Sparkfun breadboard power supplies did not show any positive improvements to my problem. However, pulling 3.3V from the Teensy did. I was able to flash and boot my laptop. I believe my main issue was the fact that the voltage was not stable or high enough to properly flash the chip. The chart below shows the measured voltage outputs using a decent multimeter:

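| Power supply | 5V – 2A | 9V – 650mA | 12V – 1A (Linksys) | USB |
| --- | --- | --- | --- | --- |
| Black | 2.835V | 3.256V | 3.306V | |
| White | 3.248V | 3.249V | 3.250V | |
| Red (Sparkfun) | 3.278V | 3.277V | 3.278V | |
| Teensy | | | | 3.289V |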

This chart makes me think that my original method using the black breadboard power supply and the Linksys wall adapter should have worked. However, I am not sure how to measure voltage under draw and maybe it dropped too low when the write started. I also did not test all of the above options for flashing. It is important to note how much the power supplies are affected by different power adapters.

Conclusion

My theory is that I did not have problems flashing my x200s because the flash chip was older and smaller which required less voltage to write. Reading a chip might also require less voltage which is how I got a good backup and was able to build my coreboot image. I do not pretend to be an expert in electronics so please correct me in the comments if you have a better idea than me. I am just trying to provide my findings to hopefully help another person.

Next time my flash is failing the first thing I will do is pull out a multimeter and double check the voltage.

Dumping Comodo for Let’s Encrypt

I have been trying to support the open source and free software communities more over the past couple years. Linux has become a big part of my job and I use free software every day instead of Windows. I was especially excited about Let’s Encrypt because they provide anyone a free and trusted certificate at zero cost. Since Let’s Encrypt became available to the public, it has issued more than five million certificates [1].

In the past Comodo has made some questionable decisions and most recently they tried to steal the Let’s Encrypt trademark. I imagine Comodo saw Let’s Encrypt as a threat and damaging to their business of selling certificates. Thankfully Let’s Encrypt reached out to the community and we spoke out. Long story short, Comodo backed off and removed their trademark requests. I assume most people may already know about it, but you can read a summary here.

After I saw the response from Comodo’s CEO, Melih, I contacted Namecheap who resells Comodo certificates. Melih is clearly confused and does not understand the difference between giving customers a 90-day free trial and giving certs away for free and forever. Amazingly, as of July 23, 2016, Comodo has not pulled down the forum post from their CEO [2], but I uploaded a backup screenshot here just in case. After this shady move, Namecheap said they appreciate the current partnership. So now it is time for me to personally stop supporting Comodo and switch to Let’s Encrypt.

[1] https://letsencrypt.org/2016/06/22/https-progress-june-2016.html

[2] https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/shame-on-you-comodo-t115958.0.html

The Best CPU Cooler – Period

I recently built a tower server to provide room for a nice GPU. I had most of the parts already because I was pulling them from a rack mount server chassis, but I knew that regular heat sinks would not be sufficient. I then discovered, the hard way, that the Cooler Master 212 EVO does not fit on server LGA1366. The screws were not able to thread into the Xeon backplate. The Cooler Master used to be my go-to cooler for desktop applications. After the Cooler Masters were returned, I ordered a set of Intel Server/Workstation coolers because I knew they would be compatible. They did a decent job, but had an unbearably loud whine to them. I keep my servers in the spare bedroom next to mine and you could just hear the things screaming away through the door/walls.

After a little more research I settled on spending more money and ordering two Noctua i4 CPU Coolers. Their website clearly shows they are compatible with the LGA1366 socket and Xeon backplate. There were also some good reviews from people online saying these fans were quiet and worked well. The only bad reviews were the ones where people did not realize they were shipped a server CPU cooler and had to order the motherboard backplate separately.

Proxy Plex through Apache on Debian

I have used Plex on and off for a while. After spending some time away from home I decided to get the software set up again. Plex makes it easy for less technical people, but it feels like some control is removed from advanced users. My first pet peeve was that there is not a great way to change the port or URL. You are stuck with something that looks like http://127.0.0.1:32400/web/. Second, to enable TLS they recommend you configure Remote Access. Remote Access will allow you to log into their protected website and it will direct you to the server. It is magic, but you lose the ability to use your own domain name.

I have been using Apache proxies at work for a few projects and wanted to set up the same thing for Plex. It turns out Matt Coneybeare decided to do this in 2013. Matt’s walkthrough is really good and you can find it here. I wanted to take it a step further and configure https/redirection.

Security in 2016

We are planning an upgrade to a software package called PacketFence. PacketFence calls themselves, “a fully supported, trusted, Free and Open Source network access control (NAC) solution.” I was excited for this project because I am making a push to upgrade servers to newer versions of Red Hat. However, I was extremely disappointed after reviewing their server requirements. This is 2016 and companies are still requesting that security measures such as SELinux, and in this case, even the firewall, get disabled. I understand that it is an open source product, but we pay for the commercial support. Software providers should be vigilant while protecting their users. PacketFence is certainly not the only offender of this… they were just the ones I was looking at while having the motivation for a blog post. Cough, Cough, Ellucian.

The site goes on to say:

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled.

The focus in 2016 has been on encryption and many people are calling it the Crypto Wars 2.0, but we can’t forget about enabling and pushing other security measures as well. SELinux is commonly the first thing people disable when they have problems instead of trying to understand and incorporate it into their security plan. Some banks are still using lousy security questions, not supporting strong passwords, and have no method of enabling two-factor authentication. Anyone with a Facebook account and Google can probably figure out where you went to high school.

If people are not requesting the features then they will not be added. I reached out to PacketFence on Twitter and will hopefully hear back some good news.

By the way, Red Hat released a fun coloring book to help administrators learn SELinux!

https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

Libreboot X200s Flashchip Replacement

In my first Libreboot post I talked about how awesome the project is and how I decided to order a Lenovo X200s on eBay to give it a try. While reading the documentation they talk about how the X200s uses a WSON flash chip instead of a SOIC chip that the other laptops use. The downside to this is that they do not have a clip-on programmer and it requires you to solder directly to the pins. The author includes a note that you might be able to replace the chip with the one that comes in the X201.

http://libreboot.org/docs/install/x200_external.html#clip

For 8MiB capacity in this case, the X201 SOIC-8 flash chip (Macronix 25L6445E) might work.

Honestly this is not really a problem but I saw an opportunity to possibly help someone else and the project by giving this a try. If you were to brick the firmware after your initial flash you would have to open everything up and solder the board again. I ordered the two parts on Digikey: 1092-1065-ND for the recommended SOIC flash chip and 923655-08-ND for the test clip. It looks like you can get cheaper test clips online but I stuck with ordering from a single source.

The Process

The first step was to tear the laptop apart so I could easily get to the flash chip on the bottom. After that I wanted to carefully remove the original WSON package so if things do not work out I will be able to put it back on and not destroy the laptop. If you are new to soldering I would not recommend you try this project. The actual process of removing the WSON chip was a lot harder than I expected. You need to be careful not to get the chip and the board too hot. In the middle under the chip there is solder that needs to be heated up as well as the pins.

Conclusion

I decided to abandon the process because it was much more difficult to remove the chip than it was to solder wires to it. If I had a hot air rework station and more experience this would have been possible without destroying the board.

I was also able to successfully flash the chip before it was connected to the motherboard. I actually grounded pins 3 and 7 during the flash process instead of hooking them up to 3.3V.

I think I will save my extra chips to see if I can replace the 4MBit ones that are on the Gigabyte motherboard I just got off eBay… article coming soon.
